Mko Posted August 4, 2012 Share Posted August 4, 2012 Hey all, I have the following code: $db2 = new mysqli('localhost', 'root', '', 'vbulletin'); $db2->connect(); include_once("./vb_plugin.php"); $query = "UPDATE players SET mgroup = '{$vbulletin->GPC['user']['usergroupid']}', mgroup_others='{$vbulletin->GPC['user']['membergroupids']}', name='{$vbulletin->GPC['user']['username']}'"; if (!empty($vbulletin->GPC['password'])){ $salt = fetch_user_salt_new(); $hash = fetch_user_hash_new(); $query .= ", phash='{$hash}', psalt='" .$salt. "'"; } $groups = ""; if (is_array($vbulletin->GPC['user']['membergroupids'])) { foreach ($vbulletin->GPC['user']['membergroupids'] AS $key => $val){ $groups .= "{$val},"; } } $query .= ", mgroup_others='{$groups}'"; $query .= " WHERE id = {$vbulletin->GPC['userid']}"; $db2->query($query); $db2->close(); I'm wondering: a) If anyone can help me with making this code's queries into prepared statements b) If prepared statements can't be used, is this code vulnerable at all? Thanks for any help, Mark Quote Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/ Share on other sites More sharing options...
cpd Posted August 4, 2012 Share Posted August 4, 2012 We technically can't determine whether or not its safe as the $vbuletin object may have performed some sort of process on the data before using it in the query. However, taking your skill level into account I'd assume its not safe. You need to firstly read up on PDO prepared statements and how to use them then relate it to your current code and implement it. Typically you'll prepare a statement using PDO::prepare($sql); then bind the parameters to the statement using PDOStatement::bindParam();. When you read up on PDO it'll make more sense. Quote Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/#findComment-1366783 Share on other sites More sharing options...
Mko Posted August 4, 2012 Author Share Posted August 4, 2012 We technically can't determine whether or not its safe as the $vbuletin object may have performed some sort of process on the data before using it in the query. However, taking your skill level into account I'd assume its not safe. You need to firstly read up on PDO prepared statements and how to use them then relate it to your current code and implement it. Typically you'll prepare a statement using PDO::prepare($sql); then bind the parameters to the statement using PDOStatement::bindParam();. When you read up on PDO it'll make more sense. What I really need to do is be able to append new query parts to the existing query at the beginning using Prepared Statements. Quote Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/#findComment-1366784 Share on other sites More sharing options...
cpd Posted August 5, 2012 Share Posted August 5, 2012 Within the select/where? Just keep appending data to a string, then prepare the string, bind parameters and execute... Quote Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/#findComment-1366922 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.